ipv6: check raw payload size correctly in ioctl
authorJamie Bainbridge <jbainbri@redhat.com>
Wed, 26 Apr 2017 00:43:27 +0000 (10:43 +1000)
committerWilly Tarreau <w@1wt.eu>
Tue, 20 Jun 2017 12:04:54 +0000 (14:04 +0200)
commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 upstream.

In situations where an skb is paged, the transport header pointer and
tail pointer can be the same because the skb contents are in frags.

This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
length of 0 when the length to receive is actually greater than zero.

skb->len is already correctly set in ip6_input_finish() with
pskb_pull(), so use skb->len as it always returns the correct result
for both linear and paged data.

Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
net/ipv6/raw.c

index 989bd798798563fe54142d85998041bec50f51cb..c7ce2be09d90d36bcbe52e510772c2ae6143bc6c 100644 (file)
@@ -1133,7 +1133,7 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg)
                spin_lock_bh(&sk->sk_receive_queue.lock);
                skb = skb_peek(&sk->sk_receive_queue);
                if (skb != NULL)
-                       amount = skb->tail - skb->transport_header;
+                       amount = skb->len;
                spin_unlock_bh(&sk->sk_receive_queue.lock);
                return put_user(amount, (int __user *)arg);
        }